Protecting keys using a TPM

David Woodhouse dwmw2 at
Fri Mar 8 06:43:41 PST 2013

On Fri, 2013-03-08 at 15:16 +0100, Stef Walter wrote:
>    This solves David's use case, and requires a bit more involvement
>    from the application. David has a thing for keys at specific
> paths :P

A little bit :)

I maintain scripts, which I just described in another mail, which
provision certs from our company PKI service and configure VPN and
wpa_supplicant to use them. They have to work on fairly much all
distributions and need to be kept simple.

These certs have a validity of 6-12 months, and users are required to
re-run the scripts to fetch a new cert when they expire.

(Oh, the scripts also fetch all the company CAs that should be trusted,
and would ideally stick them into the central trust database... if we
had one that actually worked. The closest we have so far is the NSS
shared system database and even Firefox *itself* doesn't use that!
Although I know Stef is working on this.)

It would be lovely if this worked as well as it does on Windows, but it
doesn't. If I'm dealing with OpenSSL (which I probably am with most
distros' builds of OpenConnect and wpa_supplicant) then I probably don't
even *have* PKCS#11 support. The *only* thing I can do is point the
vpn/wpa configuration at a file and then update that file when

I would *love* to get to the point where I can use a sane trust/cert
database and point the clients at it to select a cert by its X509v3
Extended Key Usage field, and this would work on every distro I need to
care about. But currently it works on *none* of them, and it'll be a
little while before I can stop caring about files.

(We don't actually use the TPM in the general case. The scripts support
it but we don't make people use it. The IT department abandoned the use
of the TPM because the state of the Windows support was too poor.)
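
The selection step David wants (pick the client cert out of a pile of files by its X.509v3 Extended Key Usage, then point the VPN or wpa_supplicant config at that file) can be scripted today with nothing but a small DER walker. The block below is an added example, not code from this thread, from p11-glue or from David's provisioning scripts. It uses only the Python standard library; the three sample certificates are constructed inline with a dummy signature so it runs offline, and the helper names (`extended_key_usage`, `select_by_eku`, `_build_cert`) are this example's own.

```python
"""Select a certificate by Extended Key Usage using a minimal DER/X.509 walker.

Standard library only. The sample certificates below are CONSTRUCTED fixtures
with a dummy signature; they parse like real certificates but are not real ones.
"""

CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"   # id-kp-clientAuth
SERVER_AUTH = "1.3.6.1.5.5.7.3.1"   # id-kp-serverAuth
EKU_OID = "2.5.29.37"               # id-ce-extKeyUsage


def _read_tlv(buf, pos):
    """Decode one DER TLV at pos -> (tag, value, next_pos); handles long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _children(buf):
    """Yield (tag, value) for each TLV directly inside a constructed value."""
    pos = 0
    while pos < len(buf):
        tag, val, pos = _read_tlv(buf, pos)
        yield tag, val


def _decode_oid(val):
    """OBJECT IDENTIFIER contents -> dotted string (base-128 arcs, first byte packs arcs 1 and 2)."""
    arcs, n = [str(val[0] // 40), str(val[0] % 40)], 0
    for b in val[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(str(n))
            n = 0
    return ".".join(arcs)


def extended_key_usage(cert_der):
    """Return the EKU OIDs of a DER certificate, or [] if the extension is absent."""
    _, cert, _ = _read_tlv(cert_der, 0)                 # Certificate ::= SEQUENCE
    _, tbs, _ = _read_tlv(cert, 0)                      # tbsCertificate ::= SEQUENCE
    for tag, val in _children(tbs):
        if tag != 0xA3:                                  # extensions are [3] EXPLICIT
            continue
        _, exts, _ = _read_tlv(val, 0)                   # Extensions ::= SEQUENCE OF Extension
        for _, ext in _children(exts):
            fields = list(_children(ext))                # extnID, [critical], extnValue
            if _decode_oid(fields[0][1]) != EKU_OID:
                continue
            _, eku_seq, _ = _read_tlv(fields[-1][1], 0)  # extnValue OCTET STRING wraps SEQUENCE OF OID
            return [_decode_oid(v) for _, v in _children(eku_seq)]
    return []


def select_by_eku(certs, wanted_oid):
    """Names of the certs (path -> DER bytes) whose EKU includes wanted_oid."""
    return [name for name, der in certs.items() if wanted_oid in extended_key_usage(der)]


# ---- constructed fixtures (tiny DER encoder; dummy signature, no key material) ----

def _tlv(tag, payload):
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload


def _oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.insert(0, 0x80 | (a & 0x7F))
            a >>= 7
        body += bytes(chunk)
    return _tlv(0x06, bytes(body))


def _build_cert(cn, ekus):
    """Structurally valid Certificate with an optional EKU extension; signature bytes are junk."""
    name = _tlv(0x30, _tlv(0x31, _tlv(0x30, _oid("2.5.4.3") + _tlv(0x0C, cn.encode()))))
    sig_alg = _tlv(0x30, _oid("1.2.840.113549.1.1.11") + b"\x05\x00")   # sha256WithRSAEncryption
    validity = _tlv(0x30, _tlv(0x17, b"230101000000Z") + _tlv(0x17, b"230701000000Z"))
    spki = _tlv(0x30, _tlv(0x30, _oid("1.2.840.113549.1.1.1") + b"\x05\x00") + _tlv(0x03, b"\x00" * 9))
    extensions = b""
    if ekus:
        eku_val = _tlv(0x30, b"".join(_oid(o) for o in ekus))
        extensions = _tlv(0xA3, _tlv(0x30, _tlv(0x30, _oid(EKU_OID) + _tlv(0x04, eku_val))))
    tbs = _tlv(0x30, _tlv(0xA0, b"\x02\x01\x02") + b"\x02\x01\x01" + sig_alg
               + name + validity + name + spki + extensions)
    return _tlv(0x30, tbs + sig_alg + _tlv(0x03, b"\x00" + b"\xAA" * 4))


SAMPLE_CERTS = {                                          # constructed, not from any real PKI
    "vpn-client.der": _build_cert("user-vpn", [CLIENT_AUTH]),
    "web-server.der": _build_cert("vpn.example.test", [SERVER_AUTH]),
    "legacy.der": _build_cert("legacy", []),
}

if __name__ == "__main__":
    print(select_by_eku(SAMPLE_CERTS, CLIENT_AUTH))     # the file a VPN/wpa config would point at
```

On a real directory of DER files, `extended_key_usage(open(path, "rb").read())` does the same job; PEM input needs `base64.b64decode` of the body between the BEGIN/END lines first. The walker deliberately does not verify signatures or validity; it only answers "which of these files is the client-auth cert", which is all the file-pointing configs described above need.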


More information about the p11-glue mailing list